Name | Version |
---|---|
terraform | >= 1.1.5 |
aws | ~> 5.38 |
Name | Version |
---|---|
aws | 5.18.1 |
aws.eu-west-2 | 5.18.1 |
aws.global | 5.18.1 |
Name | Source | Version |
---|---|---|
billing | ./modules/default_roles | n/a |
breakglass | ./modules/default_roles | n/a |
ci | ./modules/default_roles | n/a |
cloudtrail | ./modules/cloudtrail | n/a |
cloudwatch_loginsights_cis_queries_opg | ./modules/cis_queries | n/a |
cloudwatch_loginsights_cis_queries_provisioned | ./modules/cis_queries | n/a |
cloudwatch_reporting | ./modules/default_roles | n/a |
cost_anomaly_detection | ./modules/ce_anomaly_detection | n/a |
custom_cloudwatch_alarms | ./modules/custom_cloudwatch_alarms | n/a |
custom_cloudwatch_alarms_vendored | ./modules/custom_cloudwatch_alarms | n/a |
eu-west-1 | ./modules/region | n/a |
eu-west-2 | ./modules/region | n/a |
operator | ./modules/default_roles | n/a |
security_hub | ./modules/security_hub | n/a |
slack_notifications | ./modules/slack_notifications | n/a |
viewer | ./modules/default_roles | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_name | Account Name | string |
"" |
no |
auto_enable_controls | Whether to automatically enable new controls when they are added to standards that are enabled | bool |
true |
no |
aws_account_alternate_contact | The alternate contacts for the account. | object({ |
n/a | yes |
aws_account_primary_contact | The primary contact for the account. | object({ |
n/a | yes |
aws_config_enabled | n/a | bool |
false |
no |
aws_iam_account_alias | The AWS IAM Account Alias to use for the account | string |
n/a | yes |
aws_s3_account_block_public_access_enable | Whether Amazon S3 should apply the account-level public access block settings (block public ACLs, block public policy, ignore public ACLs, restrict public buckets) to buckets in this account. Defaults to false. | bool |
false |
no |
aws_s3_account_block_public_acls | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | bool |
true |
no |
aws_s3_account_block_public_policy | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | bool |
true |
no |
aws_s3_account_ignore_public_acls | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | bool |
true |
no |
aws_s3_account_restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | bool |
true |
no |
aws_security_hub_enabled | n/a | bool |
false |
no |
aws_slack_cost_anomaly_notification_channel | Slack's internal ID for the channel to post cost anomalies to (format: AB1C2DEF) | string |
"" |
no |
aws_slack_health_notification_channel | Slack's internal ID for the channel to post health alerts to (format: AB1C2DEF) | string |
"" |
no |
aws_slack_notifications_enabled | Whether to enable alerting to slack. To be used with slack cost/health notification channel. | bool |
false |
no |
billing_base_policy_arn | n/a | string |
"arn:aws:iam::aws:policy/job-function/Billing" |
no |
billing_custom_policy_json | n/a | string |
"" |
no |
breakglass_base_policy_arn | n/a | string |
"arn:aws:iam::aws:policy/AdministratorAccess" |
no |
breakglass_create_instance_profile | n/a | bool |
false |
no |
breakglass_custom_policy_json | n/a | string |
"" |
no |
ci_base_policy_arn | n/a | string |
"arn:aws:iam::aws:policy/AdministratorAccess" |
no |
ci_custom_policy_json | n/a | string |
"" |
no |
cis_foundation_alarms_enabled | Whether to create metrics alarms to support CIS Foundation compliance. Defaults to true. | bool |
true |
no |
cis_foundation_control_1_14_enabled | When true, creates a metric filter and alarm for CIS.1.14. When false, sets standard control to disabled. | bool |
false |
no |
cis_foundation_control_3_10_custom_filter | When provided, creates a custom metric filter and alarm for CIS.3.10 and disables the standard control in Security Hub. | string |
"" |
no |
cis_foundation_control_3_10_enabled | When true, creates a metric filter and alarm for CIS.3.10. When false, sets standard control to disabled. | bool |
true |
no |
cis_foundation_control_3_11_enabled | When true, creates a metric filter and alarm for CIS.3.11. When false, sets standard control to disabled. | bool |
true |
no |
cis_foundation_control_3_12_enabled | When true, creates a metric filter and alarm for CIS.3.12. When false, sets standard control to disabled. | bool |
true |
no |
cis_foundation_control_3_13_enabled | When true, creates a metric filter and alarm for CIS.3.13. When false, sets standard control to disabled. | bool |
true |
no |
cis_foundation_control_3_14_enabled | When true, creates a metric filter and alarm for CIS.3.14. When false, sets standard control to disabled. | bool |
true |
no |
cis_foundation_control_3_4_enabled | When true, creates a metric filter and alarm for CIS.3.4. When false, sets standard control to disabled. | bool |
true |
no |
cis_foundation_control_3_8_enabled | When true, creates a metric filter and alarm for CIS.3.8. When false, sets standard control to disabled. | bool |
true |
no |
cis_metric_namespace | The destination namespace of the CIS CloudWatch metric. | string |
"CISLogMetrics" |
no |
cloudtrail_bucket_name | CloudTrail bucket name | string |
"cloudtrail" |
no |
cloudtrail_trail_name | trail name | string |
"cloudtrail" |
no |
config_continuous_resource_recording | Whether the AWS Config recorder records resource changes continuously (true) or daily (false); set to false in dev accounts | bool |
true |
no |
control_finding_generator | Updates whether the calling account has consolidated control findings turned on | string |
"STANDARD_CONTROL" |
no |
cost_anomaly_immediate_schedule_threshold | The value that triggers an immediate notification when the threshold is exceeded. By default an absolute dollar amount; setting cost_anomaly_threshold_expression_type to the percentage type changes this to a percentage. |
string |
"10.0" |
no |
cost_anomaly_notification_email_address | Email address to use to send anomaly alerts to | string |
null |
no |
cost_anomaly_threshold_expression_type | Setting passed to the threshold_expression to determine whether the threshold value (weekly_schedule_threshold or immediate_schedule_threshold) is an absolute amount (ANOMALY_TOTAL_IMPACT_ABSOLUTE) or a percentage (ANOMALY_TOTAL_IMPACT_PERCENTAGE) | string |
"ANOMALY_TOTAL_IMPACT_ABSOLUTE" |
no |
cost_anomaly_weekly_schedule_threshold | The value that triggers a weekly notification when the threshold is exceeded. By default an absolute dollar amount; setting cost_anomaly_threshold_expression_type to the percentage type changes this to a percentage. |
string |
"100.0" |
no |
custom_alarms_breakglass_login_alarm_enabled | Enable or disable the breakglass login alarm | bool |
true |
no |
enable_default_standards | Whether to enable the security standards that Security Hub has designated as automatically enabled | bool |
false |
no |
enable_guardduty | n/a | bool |
true |
no |
fsbp_standard_control_elb_6_enabled | When false, sets standard control to disabled. | bool |
true |
no |
is_production | n/a | bool |
false |
no |
modernisation_platform_account | Whether this is a vendored account from the Modernisation Platform | bool |
false |
no |
oam_xray_sink_identifier_arn | The identifier of the OAM Sink to duplicate XRay events to (if desired) | string |
null |
no |
operator_base_policy_arn | n/a | string |
"arn:aws:iam::aws:policy/ReadOnlyAccess" |
no |
operator_create_instance_profile | n/a | bool |
false |
no |
operator_custom_policy_json | n/a | string |
"" |
no |
pagerduty_securityhub_integration_key | The PagerDuty integration key used to subscribe to Security Hub findings | string |
null |
no |
product | n/a | string |
n/a | yes |
shield_support_role_enabled | Whether to create the Shield Support Role to allow AWS security engineers to access the account to assist with DDoS mitigation | bool |
false |
no |
team_email | Team group email address for use in tags | string |
"opgteam@digital.justice.gov.uk" |
no |
team_name | Name of the Team looking after the Service | string |
"OPG" |
no |
user_arns | n/a | object({ |
n/a | yes |
viewer_base_policy_arn | n/a | string |
"arn:aws:iam::aws:policy/ReadOnlyAccess" |
no |
viewer_custom_policy_json | n/a | string |
"" |
no |